A once-simple browser data stealer is now harvesting documents and intelligence from Ukrainian government and military targets.
What happened
The GIFTEDCROOK malware, previously identified as a browser credential stealer, has changed into a sophisticated intelligence-gathering tool. The malware is attributed to the threat actor group UAC-0226 and is currently being used in phishing campaigns targeting Ukrainian military and government entities.
GIFTEDCROOK now collects a wider range of sensitive data, including recent documents, spreadsheets, and image files from infected machines. The malware is typically deployed via phishing emails containing macro-enabled Excel attachments disguised as military-related alerts.
Going deeper
Originally detected in April 2025 by Ukraine’s Computer Emergency Response Team (CERT-UA), GIFTEDCROOK has seen rapid development since its early demo version in February. With the release of versions 1.2 and 1.3, its functionality has expanded well beyond browser data theft.
The malware now targets files under 7 MB, especially those created or modified in the past 45 days. Specific file extensions include common document, spreadsheet, email, image, archive, and VPN configuration formats. Once collected, the files are bundled into ZIP archives and sent to a Telegram channel controlled by the attackers. If the archive is larger than 20 MB, it is split into parts to evade detection. The malware also includes a batch script to erase traces from the infected host once data is exfiltrated.
More recent phishing emails use military-themed PDF lures to direct users to malicious Excel files hosted on Mega cloud storage. Because macro-enabled Excel workbooks are widely used in legitimate business communications, they often evade standard email security filters.
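As an added example, not code from the article or from CERT-UA, the following Python hunt scans constructed proxy log lines for the two behaviours described above: a macro-enabled workbook fetched from Mega, and a series of large uploads to Telegram that together exceed the 20 MB split size. The Telegram and Mega hostnames are assumptions; the article names only the services, not the endpoints.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines for this example (not from the article):
# "<timestamp> <client_ip> <method> <url> <bytes_sent>"
SAMPLE_LOG = """\
2025-06-10T09:01:12Z 10.0.4.21 GET https://mega.nz/file/abc123 1204
2025-06-10T09:01:40Z 10.0.4.21 GET https://mega.nz/file/abc123/Povidomlennya.xlsm 88123
2025-06-10T09:15:02Z 10.0.4.21 POST https://api.telegram.org/botREDACTED/sendDocument 20971520
2025-06-10T09:15:30Z 10.0.4.21 POST https://api.telegram.org/botREDACTED/sendDocument 20971520
2025-06-10T09:15:58Z 10.0.4.21 POST https://api.telegram.org/botREDACTED/sendDocument 5242880
2025-06-10T10:02:11Z 10.0.7.8 GET https://example.com/report.pdf 40000
2025-06-10T10:03:00Z 10.0.7.8 POST https://api.telegram.org/botREDACTED/sendMessage 312
"""

SPLIT_THRESHOLD = 20 * 1024 * 1024    # article: archives over 20 MB are split into parts
TELEGRAM_HOSTS = {"api.telegram.org"}  # assumption: Bot API endpoint, not named on the page
MEGA_HOSTS = {"mega.nz", "mega.io"}    # assumption: Mega cloud storage domains

def parse_log(text):
    """Parse the space-separated log format above into dicts."""
    records = []
    for line in text.splitlines():
        ts, client, method, url, nbytes = line.split()
        parsed = urlparse(url)
        records.append({"ts": ts, "client": client, "method": method,
                        "host": parsed.hostname or "", "path": parsed.path,
                        "bytes": int(nbytes)})
    return records

def find_suspects(records):
    """Return {client_ip: [finding, ...]} for the two behaviours the article describes."""
    findings = defaultdict(list)
    uploads = defaultdict(list)
    for r in records:
        if r["method"] == "GET" and r["host"] in MEGA_HOSTS and r["path"].lower().endswith(".xlsm"):
            findings[r["client"]].append(f"macro-enabled workbook fetched from {r['host']}: {r['path']}")
        if r["method"] == "POST" and r["host"] in TELEGRAM_HOSTS:
            uploads[r["client"]].append(r["bytes"])
    for client, sizes in uploads.items():
        # Several uploads whose sum exceeds the split threshold look like a split archive;
        # a single small POST (a short message) does not.
        if len(sizes) >= 2 and sum(sizes) > SPLIT_THRESHOLD:
            findings[client].append(f"{len(sizes)} uploads to Telegram totalling {sum(sizes)} bytes")
    return dict(findings)

if __name__ == "__main__":
    for client, notes in find_suspects(parse_log(SAMPLE_LOG)).items():
        print(client, "->", *notes, sep="\n  ")
```

Only the host that both fetched the .xlsm from Mega and pushed three large uploads to Telegram is reported; the host that sent one short Telegram message is not.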
What was said
Researchers observed that GIFTEDCROOK’s latest campaigns align with recent geopolitical events, including negotiations between Ukraine and Russia. The evolution from basic credential theft to targeted document exfiltration, they argue, reflects an intentional shift toward cyber espionage.
CERT-UA and other cybersecurity professionals warn that malware like GIFTEDCROOK can compromise not just individual users, but also the broader government systems and networks they’re connected to.
The big picture
The emergence of GIFTEDCROOK shows how attackers are adapting everyday workplace tools, such as Excel spreadsheets, for malware delivery.
FAQs
What makes macro-enabled Excel files risky in phishing campaigns?
Macros are scripts embedded in Excel files that can automate tasks. Attackers often hide malicious code in them, and since Excel files are common in professional settings, users may not suspect foul play when prompted to enable macros.
Why are files under 7 MB specifically targeted by GIFTEDCROOK?
Smaller files are easier to transfer covertly and are less likely to trigger size-based filters or bandwidth monitoring tools, allowing data to exit the network more discreetly.
What is the role of Telegram in this malware’s operation?
Telegram is used by the attackers as a command-and-control (C2) channel to receive the stolen data. Its encrypted messaging features and wide availability make it difficult to block or trace.
How does breaking ZIP files into smaller parts help evade detection?
Splitting large archives into smaller segments reduces the chance of detection by security tools monitoring for unusually large outbound data transfers.
Can traditional antivirus tools detect GIFTEDCROOK?
Detection depends on the malware version and the security solution in place. Because the malware erases itself after exfiltration and uses obfuscation techniques, it may evade basic antivirus programs unless they're regularly updated with threat intelligence.